Created attachment 873883 [details] dmesg dump Description of problem: EFI: Problem loading in-kernel X.509 certificate (-129) Version-Release number of selected component (if applicable): Fedora 20 x86_64 How reproducible: Every boot. Steps to Reproduce: 1. Clean Install 2. Everytime Computer is turned on 3. Also when shutting down and rebooting... Actual results: [ 0.809006] EFI: Problem loading in-kernel X.509 certificate (-129) [ 0.809079] EFI: Problem loading in-kernel X.509 certificate (-129) [ 0.810548] EFI: Problem loading in-kernel X.509 certificate (-129) Expected results: Flawless/Clean boot with no warnings/errors... I did not have this back in F18 under UEFI mode. Additional info: Asus Vivobook S200E
Cedric, thank you very much for your report. However, whatever component that is causing, it is definately not x509watch. As the kernel guys might know the right component better than me, I am just re-assigning to the kernel for now.
Same issue on Lenovo z510 with Fedora 20 x86_64 under UEFI mode. System works but on every boot show in yellow the message: Problem loading in-kernel x.509 certificate (-129)
Same problem on ASUS Z77-A Could this be fixed by changinf a firmware setting?
This "error" is no longer reported when I go into the ASUS Z77-A UEFI firmware settings and disable "secure boot"
>> This "error" is no longer reported when I go into the ASUS Z77-A UEFI firmware settings and disable "secure boot" Same here on Lenovo z510.
The thing is though my machine says "booting in insecure mode" if I turn off my secure boot... I can also disable/uninstall all the oem certs in uefi menu. It's just annoying and I don't consider turning off secure boot as a fix. Fedora 20 could have been my perfect os if it isn't for this expired cert. Also if you turn off your secure boot you will notice wifi led doesn't work for most asus machines.
-129 is EKEYREJECTED, not EKEYEXPIRED. The kernel doesn't check expiration dates any longer, so something else in the cert is likely causing it to be rejected.
Same problem with Samsung Ativ Book 9, 2014 Edition.
According to dmesg, the following occurs at boot time: [knutt@samwise ~]$ dmesg|grep 'EFI\|cert' [ 0.000000] efi: EFI v2.31 by INSYDE Corp. [ 0.000000] ACPI: UEFI 000000009affc000 000236 (v01 DELL CL09 00000001 ASL 00040000) [ 1.122097] fb0: EFI VGA frame buffer device [ 1.383896] EFI Variables Facility v0.08 2004-May-17 [ 1.709681] Loading compiled-in X.509 certificates [ 1.710274] Loaded X.509 cert 'Fedora kernel signing key: 21f4e4ec6a77c7b0fe1b3c58f2281f614d91d262' [ 1.719986] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring' [ 1.719998] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring' [ 1.720003] EFI: Problem loading in-kernel X.509 certificate (-129) [ 1.737700] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring' [ 2.729065] fb: conflicting fb hw usage inteldrmfb vs EFI VGA - removing generic driver And, yes, I am on a dual-boot laptop.
Same problem running Fedora 20 on Asus H87-I Plus board with Haswell I3.
Same on Acer E1-570G
Same problem running Fedora 19 and 20-Live on Toshiba P870 laptop. uname -a 3.14.8-100.fc19.x86_64 #1 SMP Mon Jun 16 21:53:59 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux dmesg|grep 'EFI\|cert\|X.509' [ 0.000000] efi: EFI v2.31 by INSYDE Corp. [ 0.000000] ACPI: UEFI 00000000aaffd000 000236 (v01 TOSINV TOSINV00 00000001 ACPI 00040000) [ 0.507949] fb0: EFI VGA frame buffer device [ 0.554309] EFI Variables Facility v0.08 2004-May-17 [ 0.581104] Loading compiled-in X.509 certificates [ 0.581979] Loaded X.509 cert 'Fedora kernel signing key: 81dcd7904592f99bef61db521ecc2edc8dfd9490' [ 0.583633] X.509: Got cert with pkey (0) and sig (49) algorithm OIDs [ 0.583635] EFI: Problem loading in-kernel X.509 certificate (-22) [ 0.583689] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring' [ 0.583713] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring' [ 0.583723] X.509: Cert for 'Toshiba Corporation Utility CA 2012' must have a SubjKeyId extension [ 0.583725] EFI: Problem loading in-kernel X.509 certificate (-129) [ 0.583794] MODSIGN: Couldn't get UEFI MokListRT [ 1.903211] fb: conflicting fb hw usage inteldrmfb vs EFI VGA - removing generic driver
Same here on a Lenovo G510 dualboot with Windows 8.1 UEFI. dmesg relevant part below: [ 3.940348] EFI: Problem loading in-kernel X.509 certificate (-129) Nobody?
This bug should proboably NOT be marked as High severity. After reviewing the kernel source it turns out that the kernel still loads the modules, and merely marks the kernel as 'tainted' (which isn't neary as bad as it sounds) so long as CONFIG_MODULE_SIG_FORCE is not set, : jdines@fireball$ (git::v3.16-stormbringer) grep CONFIG_MODULE_SIG_FORCE /boot/config-* -niH /boot/config-3.15.6-200.fc20.x86_64:297:# CONFIG_MODULE_SIG_FORCE is not set /boot/config-3.15.7-200.fc20.x86_64:297:# CONFIG_MODULE_SIG_FORCE is not set /boot/config-3.15.8-200.fc20.x86_64:297:# CONFIG_MODULE_SIG_FORCE is not set This is an indication that module signing isn't set up properly for Fedora 19 and 20 (and probably all of them), but so long as the maintainer doesn't enable CONFIG_MODULE_SIG_FORCE at a later date without fixing the signing issue all systems will continue to function as expected and just receive the error message.
Would it be a difficult task to fix it - it is after all a tad annoying.
Actually, yes. It isn't simple. I talked with David Howells about it last week. There are some plans but it won't be fixed soon.
I have a computer which fails starting X and it gives this error out. Can this error be fatal to starting X?
Doubtful.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 20 kernel bugs. Fedora 20 has now been rebased to 3.17.2-200.fc20. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 21, and are still experiencing this issue, please change the version to Fedora 21. If you experience different issues, please open a new bug report for those.
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in over 3 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously.
Same is still happening with Fedora 21. Excerpt from dmesg | grep -i efi: [ 0.431101] efifb: probing for efifb [ 0.431111] efifb: framebuffer at 0xe9000000, mapped to 0xffffc90005c00000, using 3072k, total 3072k [ 0.431112] efifb: mode is 1024x768x32, linelength=4096, pages=1 [ 0.431113] efifb: scrolling: redraw [ 0.431114] efifb: Truecolor: size=8:8:8:8, shift=24:16:8:0 [ 0.432298] fb0: EFI VGA frame buffer device [ 0.546842] EFI Variables Facility v0.08 2004-May-17 [ 0.565167] EFI: Problem loading in-kernel X.509 certificate (-129) [ 0.565209] EFI: Problem loading in-kernel X.509 certificate (-129) [ 0.565267] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring' [ 0.565288] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring' [ 0.565695] EFI: Loaded cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to '.system_keyring' [ 0.567242] EFI: Loaded cert 'die-tessuns: Martin Tessun: ea5866aaa19f72a25b7bfdc5ac0c32428ee7ab7a' linked to '.system_keyring' [ 0.567613] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring' After all the system boots and works just fine. Interestingly I have a Laptop (which had Windows 8 preinstalled) which does not show this behaviour (same kernel): [ 2.813038] efifb: probing for efifb [ 2.813061] efifb: framebuffer at 0xc0000000, mapped to 0xffffc90004f00000, using 8100k, total 8100k [ 2.813062] efifb: mode is 1920x1080x32, linelength=7680, pages=1 [ 2.813063] efifb: scrolling: redraw [ 2.813065] efifb: Truecolor: size=8:8:8:8, shift=24:16:8:0 [ 2.816856] fb0: EFI VGA frame buffer device [ 2.947635] EFI Variables Facility v0.08 2004-May-17 [ 2.972996] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring' [ 2.973011] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring' [ 2.973347] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring' So maybe this has something to do with the uEFI keyring. Cheers, Martin
Hi Same bug here Acer TravelMate P253-M (i5) Clean Fedora 21 install, win8 removed. [ 0.000000] ACPI: UEFI 0x00000000A6FFD000 000236 (v01 ACRSYS ACRPRDCT 00000001 1025 00040000) [ 0.696434] efifb: probing for efifb [ 0.696449] efifb: framebuffer at 0xb0000000, mapped to 0xffffc90004f00000, using 4128k, total 4128k [ 0.696450] efifb: mode is 1366x768x32, linelength=5504, pages=1 [ 0.696451] efifb: scrolling: redraw [ 0.696452] efifb: Truecolor: size=8:8:8:8, shift=24:16:8:0 [ 0.698454] fb0: EFI VGA frame buffer device [ 1.060569] EFI Variables Facility v0.08 2004-May-17 [ 1.090241] EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring' [ 1.090251] EFI: Problem loading in-kernel X.509 certificate (-129) [ 1.090318] EFI: Loaded cert 'Acer: c4f0474ae6b5e67a509d99132f49a4ec13f7ac68' linked to '.system_keyring' [ 1.090342] EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.system_keyring' [ 1.090882] EFI: Loaded cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42' linked to '.system_keyring' [ 1.690645] tsc: Refined TSC clocksource calibration: 2594.114 MHz [ 2.044098] fb: switching to inteldrmfb from EFI VGA [ 4.522366] SELinux: Permission audit_read in class capability2 not defined in policy. [ 4.524340] SELinux: initialized (dev efivarfs, type efivarfs), uses genfs_contexts Hope this helps in any way.
Same here, with dualboot with Windows 8.1 UEFI: [ 0.551300 EFI: Problem loading in-kernel X.509 certificate (-129) [ 0.551359 EFI: Problem loading in-kernel X.509 certificate (-129) Alex
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There are a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 21 kernel bugs. Fedora 21 has now been rebased to 3.18.3-201.fc21. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel. If you experience different issues, please open a new bug report for those.
With kernel 3.18.3-201.fc21 ten consecutive boots without certificate warning Looks like this bug is solved :-D Well done!
Thanks for the update!
yo descargue la ultima version de centos 7 y me da el mismo problema tengo una lenovo G40-80, despues instale fedora 25 y funciona bien, pero de preferencia quisiera trabajar con centos.